OFFICE OF INSPECTOR GENERAL
MEMORANDUM

DATE:    February 9, 1998

TO:      Daniel Phythyon, Chief
         Wireless Telecommunications Bureau

FROM:    H. Walker Feaster III, Inspector General

SUBJECT: Special Review of Auction Application Security

As part of our ongoing effort to ensure protection of the Commission's information resources, this office has recently completed a review of the security of the FCC Auction Application. To conduct this review, the OIG established task order number two (2) under our contract with TWM Associates, Inc. (hereafter referred to as "TWM").

On September 16, 1996, the Office of Inspector General issued a Special Review report, Report No. 96-6, entitled "Special Review of Auction Site Information Technology (IT) Security." This report identified the results of our review of Information Technology (IT) security at the Commission's 2 Massachusetts Avenue facility. Because of the timeframe under which this project was completed, several critical components of the auction system were not evaluated, including the auction application (i.e., FCC Auctions System), IT security at the Gettysburg facility, and Internet connectivity (including firewall configuration). This review was intended to evaluate the auction application component of the overall automated auction program.

The specific objectives of this task were twofold. The objective of phase one was to identify and evaluate the system of controls established within the FCC Auctions System application to ensure that they provide a secure environment for participants in the spectrum auction process. This evaluation covered the complete system of controls, including automated controls (e.g., those controls employed by the PowerBuilder and Sybase DBMS software) and manual controls (e.g., distribution of passwords, resetting of accounts, etc.). To accomplish this objective, TWM reviewed system documentation and interviewed system management personnel to identify existing manual and automated controls; designed tests for each control identified and conducted tests to determine operational status; identified areas where controls can be improved; and developed recommendations for specific control improvements.

The objective of phase two of the review was to examine the controls associated with system operation and maintenance. These controls should assure that adequate processes have been developed for operating the Auction System and for monitoring and controlling changes to the system. To accomplish these objectives, TWM reviewed policies, procedures, and standards associated with Auction System operation and maintenance; interviewed personnel involved in the system's operation and maintenance process; examined system documentation (e.g., flow charts, data diagrams, etc.) to verify that all system modifications are accurately reflected; identified areas where controls can be improved; and developed recommendations for specific control improvements.

In general, our review indicates that the Auction Application remote bidding software functions as it was intended for bidders participating in auctions. However, the review team did identify control improvements which can be made in the areas of segregation of duties, accountability within the application, adequacy of contingency planning, and overall access controls. Many of these control improvements were being addressed at the time of review completion. In addition, we observed that Commission employees and contractor personnel managing the site are committed to continual improvement of security as part of their operational mission.

A copy of the Special Review Report prepared by TWM and containing specific observations and recommendations is attached. This report, Report No. 97-4, entitled "Special Review Auction Application", contains sensitive information. For that reason, we recommend that you restrict distribution of this report to those personnel in your organization with a need for the information. If you would like to discuss this review, please contact me at 418-0470.

Attachment

CC:   John Giuli, WTB Auction Division (with attachment)
      David Jarrell, Computer Security Officer (with attachment)